eh subjective experience

but we've deviated off-topic

🥸

so gonna reel in the convo here

if you wanna discuss/get assistance with an academy module ask here; otherwise figure out how to link your htb account cough #welcome cough and just talk nonsense in #general

Ok

if anyone could advise me on this, please :3

UPD: I think it has sth to do with HTB key in the end of the section, figuring out how to connect using it (it's a text file)

Hiii,
I've got a problem with the skill assesment of the wi-fi penetration testing basics.
It seems that I'm not capable to see a lot of frames from the access point HTB.
I need to capture the EAPOL to actually crack the passphrase.
I'm also not capable to do a deauth attack to the target.
Does anyone had an idea of where the problem could came ?
PS : there's an update after almost 3 hours and half...

I'm working on Active Directory Enumeration & Attacks, but I'm having trouble connecting to the windows machines over RDP. Either it won't connect at all or my connection drops within a minute. Is there maintenance going on or am I doing somehting wrong? Any advice?

Probably your end. Those VMs start as you set it to start.
Should take a couple of minutes to load the whole environment

Yesterday I waited at least 10 minutes before trying to connect, today I did at least 5, but the problem still persists

I just got kicked out of a connection again

I did this SA a week ago and had no problems

You can set the auto reconnect flag if you think your connection is dropping
But without any error output it’s difficult to know what the problem is

Thanks for helping, for completeless this is my command output:

┌─[eu-academy-6]─[10.10.15.81]─[htb-ac-1645837@htb-l6f2lkitp6]─[~]
└──╼ [★]$ xfreerdp /u:htb-student /p:Academy_student_AD! /v:10.129.54.62
[08:22:59:380] [26329:26330] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[08:22:59:380] [26329:26330] [WARN][com.freerdp.crypto] - CN = ACADEMY-EA-MS01.INLANEFREIGHT.LOCAL
[08:23:00:583] [26329:26330] [ERROR][com.winpr.timezone] - Unable to find a match for unix timezone: US/Central
[08:23:01:783] [26329:26330] [INFO][com.freerdp.gdi] - Local framebuffer format  PIXEL_FORMAT_BGRX32
[08:23:01:783] [26329:26330] [INFO][com.freerdp.gdi] - Remote framebuffer format PIXEL_FORMAT_BGRA32
[08:23:01:796] [26329:26330] [INFO][com.freerdp.channels.rdpsnd.client] - [static] Loaded fake backend for rdpsnd
[08:23:01:796] [26329:26330] [INFO][com.freerdp.channels.drdynvc.client] - Loading Dynamic Virtual Channel rdpgfx
[08:23:17:231] [26329:26393] [WARN][com.freerdp.client.x11] - failed to get clipboard data in format UTF8_STRING [source format CF_UNICODETEXT]
[08:24:03:912] [26329:26330] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 110: Connection timed out
[08:24:03:912] [26329:26330] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[08:24:03:912] [26329:26330] [INFO][com.freerdp.client.common] - Network disconnect!
┌─[eu-academy-6]─[10.10.15.81]─[htb-ac-1645837@htb-l6f2lkitp6]─[~]
└──╼ [★]$ xfreerdp /u:htb-student /p:Academy_student_AD! /v:10.129.54.62
[08:24:23:684] [27877:27878] [ERROR][com.freerdp.core] - freerdp_tcp_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_FAILED [0x00020006]
[08:24:23:684] [27877:27878] [ERROR][com.freerdp.core] - failed to connect to 10.129.54.62

So it connect at first, drops and don’t connect anymore?

Yes, and then after a few minutes I can connect for 1 or 2 minutes before disconnecting again (which just happened)

Try setting the auto reconnect flag and see if it will hang

I was able to complete an assignment in between getting disconnected, but this is not really nice to work with

I'm spinning up an instance. That's on the Privileged Access section, right?

It was "Internal Password Spraying - From Windows"

https://academy.hackthebox.com/module/143/section/1422

still no connection to internet, am I doing sth wrong?

And it stayed stable? Strange. Not sure why my connection is so bad. Would Pwnbox location matter a lot?

Yep

Don't know actually. Worth switching

Alright, thanks for checking for me!

just a quick question how to perform sql injection on post data with json i am trying to enumerate coloums with union but i am failing

I think it's worth attempting to inject the payload without the ' in this case.
as it was taking it as an integer in the request, there's a chance the query is something like SELECT * FROM table_name WHERE id = 1 not SELECT * FROM table_name WHERE id = '1'

You can see if the injection works by sending something invalid and a OR clause with a tautology

I'd still enumerate number of columns with ORDER BY instead of with UNION SELECT

Hello, I'm at the XSS Filter Bypass section of the Advanced CSRF & XSS Exploitation module.
I am using a combination of techniques and I can successfully write a comment that attempts to trigger a request to an external source.
I am finding some difficulties as the CORS settings are blocking such attempts.

For this reason, I am trying to request http://vulnerablesite.htb:36962 as it does not invalidate the Same-Origin Policy.
However, I cannot understand why am I getting the following error Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://vulnerable.htb:36962/. (Reason: CORS request did not succeed). Status code: (null).
It is the same schema, domain and port damn it!

Module - Laudanum, One Webshell to Rule Them All
Stupid question please - I was caught off guard when a URL I thought was incorrect due to an extra slash '//' actually connected just fine. Both http://status.inlanefreight.local/files/demo.aspx and http://status.inlanefreight.local**//**files/demo.aspx work, and packet capture confirmed the browser isn't altering the request. Google/GPT wasn't much help. Is there a reason why this might be the case, and is it good practise to use double slashes for web shells?

hi, is anyone able to give a hint for password attacks hard lab, i found a few open services but not having any luck getting into any of them
i got the username from the description but also tried the more general usernames list incase that user isnt the initial entry but nothing seems to be working 😦

Yup I did but going through 1400 names and chisel is not fast

tried sir and still no luck

i quite don't follow along could you re iterate things in simple words for my understanding

Not sure if you got this fixed or not, but put the password in single quotes like this 'Academy_student_AD!' same with username

Hey folks,

I was just seeing if I can get some help on the CPTS path in the info gathering - web addition for 'Creepy Crawlies'. The issue I am having is running the ReconSpider.py.

So scrapy is installed and showing up but now that I have downloaded and unzipped the ReconSpider.py file, when I run the command below I get a few errors. I commented out a few lines but that only caused more issues, anyone know why the import scrapy and proceeding lines are being flagged?

python3 ReconSpider.py http://inlanefreight.com

Below is the error message I get related to the first line in the ReconSpider.py file, line 1.

Attribute error: partially initialized mode 'scrapy' has no attribute "Spider" (most likely due to a circular import).

#modules message

Help

in the first picture, you were sending just an integer 1.
if you try the payload 1' UNION SELECT 1,2,3,4-- - to test for SQLi, and it did not work, maybe the reason is because the actual query behind the scenes is something like this SELECT * FROM table_name WHERE id = 1.
which explains why your payload won't work, as when you inject it, it'll become SELECT * FROM table_name WHERE id = 1' UNION SELECT 1,2,3,4-- - where there's no opening quote.

so my suggestion is, try to directly append the payload such as 1 UNION SELECT 1,2,3,4-- - without the ', in this case, if my idea was correct, the query will look something like SELECT * FROM table_name WHERE id = 1 UNION SELECT 1,2,3,4-- - which should work if the number of columns is correct.

I would also suggest as @dapper moth said, try to enumerate the number of columns using ORDER BY instead of UNION.

Hi everyone, I’m working through the HTTP Attacks module doing the Exploitation of Request Smuggling exercise. I’ve managed to smuggle a request, I confirmed this by visiting the site after sending my initial request. However, when I send one for the admin to hit, it doesn’t work, no cookie is ever captured, it’s like the admin bot isn’t even active. Is anyone able to help me with this as I’ve been stuck all day…

Hiii,
I've got a problem with the skill assesment of the wi-fi penetration testing basics.
It seems that I'm not capable to see a lot of frames from the access point HTB.
I need to capture the EAPOL to actually crack the passphrase.
I'm also not capable to do a deauth attack to the target.
Does anyone had an idea of where the problem could came ?
PS : there's an update after almost 3 hours and half...

Got to the Skills Assessment section of the XSS and CSRF module, is the exploitserver even meant to be used to deliver possible CSRF or has everything to be done from the vulnerable app?

If I remember correctly, you do need to use the exploit server for part of it

You can first try to inject a single quote and comment the rest to attempt to understand what the code might be, just like @hasty mauve said.
If you inject "1'-- -" and it doesn't error out, the backend code has ='[number]'. If not it might be as it was stated (SELECT ........ = [number]).

Can you someone help me with the below question from login brute forcing module?

What kind of help do you need? Maybe mention the steps you took?

the first question was to brute force the ssh of the ftpuser for which i got the passsword for ftpuser.

but i am not able to ssh into the machine.

also there is no ftp port open

You're given a public ip and port yeah?

yes

Look into the man pages of ssh on how to specify a port

ssh is on port 22 only

No, it's not

It's running on the port that the public ip gives you

see.

okay let me check.

22 is running an ssh service, but that's locked down as it's a docker container

The only scope of public ips is the port given

ohh

thanks for the tip.

also, i got the flag. thankyousomuch.

Because

1. they're public
2. they're public
3. they're public
   ||4) they're public||

Meaning anyone can interact with it

yes got it.

hey all

I am very stuck stuck at

Linux Privilege Escalation

Python Library Hijacking

Follow along with the examples in this section to escalate privileges. Try to practice hijacking python libraries through the various methods discussed. Submit the contents of flag.txt under the root user as the answer.

i have tried making the file and to run it but i keep getting errors

i am kind of confused on what to do if someone has a tip ?

Intercepting Web Requests. We are supposed to click the green button to start intercepting

for some when i do it doesnt chage

referring to HUD button

HI there. May I please get some nudge on Password Attacks - PtH section? How can I reset the Windows registy key to be able to RDP via PtH , if I can't RDP because DisableRestrictedAdmin is 0? Chicken or the egg situation here. Or am I missing a 2nd RDP cred, to do this?

Unless I use || nxc || ?

https://tenor.com/view/keep-smiling-always-smile-laugh-joker-gif-gif-18917392

indeed, lol

Not all methods would be viable

Evil-winrm

Indeed

Thanks

I just used || nxc || instead

we had to think out of the box on this one

I believe this module or a previous gives a command line to allow you to rdp

Iirc it's a registry key to DisableRestrictedAdmin or something like that

Hmm, really? maybe I missed that.

resuming after a days ... maybe I am missing something

Yep read the section again

It seems counterintuitive to enable restricted admin with how the command reads

tried all of them and when i run the script i get
AttributeError: 'NoneType' object has no attribute 'available'

I don't recall struggling. Maybe you're overthinking it

i make the file psutil.py with the provided script cant rm the file into python3 not allowed tried running it from directory as where the memtest is with sudo /usr/bin/python3 ~/mem_status.py

i get the error

placing it in tmp also the error

can u paste the script here

#!/usr/bin/env python3

import os

def virtual_memory():
os.system('id')

hmm

idk

lmao

xD

Hello guys

I've just finished the AD skill assessments

And I am wondring

On the assessment 2

Where we had to connect to mssql server

I achieved a dead end so I had to see a writeup

He used print spoofer

To escalate the privelege

My question is

How could I tell if such a thing is applicable in a scenario like that

well done!

As the module did not provide a comprehensive explanation of that thing

Thank u , was a great challenge for a beginner in AD attacks

It doesn't provide an explanation, but it does talk about it and you should always be aware of what you can do

SeDebugPrivilege is what gets leveraged iirc

The module itself mentions SeDebugPrivilege and various tools to take advantage of it, like the various potatoes

And printspoofer

I am afraid of such a thing in the exam

Everything you encounter in the modules can be on the exam. You won't run into anything you didn't encounter or learn

Yes u r right

But they didn't go through the exploitation of them all

Correct

Doesn't make them less important

so.... I am trying to connect to \dc01\david and read the file. I managed to obtain the hash. But once I've obtained a shell with that new sucurity context, I am getting asked about david's creds again

this is still Password Attacks - PhT section

If I am David already... why on earth can't browse or inspect his share?

Sometimes it's a bit buggy

hmmm

should I reset?

https://tenor.com/view/the-office-ouch-michael-scott-steve-carell-lip-bite-gif-18069081

Can't hurt

¯_(ツ)_/¯

https://tenor.com/view/doctor-who-wilfred-mott-sad-wave-disappointed-gif-5710930

ohh man

start all over again, lol... maybe is time to play with the kiddo

And take a break

You got that far, you should really save credentials and hashes

indeed

Thanks

Indeed
BTW thx about ligolo ng it was supper fast as if I was on the same subnet

Success

But this time... I used my own Kali box

ayo which module u doin

I think I just did that recently

u still need help?

which ad module? usually its really hard to find writeups for tier 2 modules

since they aren't even officially allowed (although there are still some out there)

heyy yes please i am at

Linux Privilege Escalation

Python Library Hijacking

if I remember correctly that part was kinda broken

like I did it in an easier way than it was intended

can u do a sudo -l and paste in the output

wait a sec tho I think it was the intended way

I think u dont have the full python script running yet

oh wait I just realized what I did

so u have the mem py script

They r both a little hard u have to sink a sulotion on the internet but the second one was a little bit harder then the first

what I did was since u can already run it as sudo (even the guide tells u and u know that already)

I added in some lines to run bash and get the flag for me

or I don't think u even need get it automatically but u can make it embed

if u need more help than this u can say

nah I mean what tier was it?

cuz there is one in tier 1, I think also one in tier 2 and a shitton of AD in tier 3

yeah that was it

i make the file psutil.py with the provided script cant rm the file into python3 not allowed tried running it from directory as where the memtest is with sudo /usr/bin/python3 ~/mem_status.py

i get the error

placing it in tmp also the error

forget about the psutil

doesn't matters

They reuse the same targets for a few of them

ye I know

I just didnt remember for a sec what he could run as sudo without pw

You can ||edit|| the file

I think he does knows that no?

Not the mem_status, but the library itself :p

but thats the thing

u dont even need the library, just spawn a shell with mem_status

Maybe I'm misremembering

launch it as sudo and thats it

nah u aren't misremembering

I just recall it being easy

Im just giving an easier solution

sometimes some vms have misconfigurations

Are you sure you didn't have to modify the file/library

ye Im sure, u can already run the mem_status as sudo

¯_(ツ)_/¯

u can actually run anything .py as sudo

since u literally have access to the python executable itself

anyway for if I remember correctly, the assembly module, there was literally a vm where the gcc didn't work. I couldn't assemble the files on the target vm

Anyway we're spoiling a bit much

not really tho

just giving him instructions he already discovered

It's above t0

So yes.

writeups and flags aren't allowed

but u can give instructions

It's still basically telling someone "yeah just do this"

Which is, in essence, the same thing as giving them the answer

I mean we just make it easier for him, I think he would just find any other writeup then

There's a difference in:
Hey try running with sudo.
And
Run the command with sudo because xyz reason

I'm saying we're starting to stray into the latter

well he already knows the sudo part, I just told him to spawn a shell

i have restarted the box i did try it with sudo but got error

bro

what error

restarting the box won't help this time xd

i am scrolling back xD

there are boxes that malfunction, but that is not one of them

AttributeError: 'NoneType' object has no attribute 'available'

that doesn't matters

bro just read what I wrote

thats all u need

and thats just a plain python error

which u are supposed to get anyway

That's just a silly error with the python script

You're trying to diagnose x when it's not important

it's literally in the guide

Lets not share exact text from the module

As again it's above t0

it was in the module tho I don't know whats wrong with that

It's still sharing paid content

Lol

I copied like 10 lines

it's like sharing 3 seconds of a 3 minute song

Still sharing content

bruh u are overcomplicating

People have been nuked for similar

why

Take it to DMs

I'm stating what I've seen be enforced

meh I mean if he cannot solve it from the previous comments, then let it be

👀

Also the point of the exercise is to show off library hijacking not cobble together a script. So while there may be an "easier" way, the intended is via library shenanigans

I mean sure

i am trying but just cant get it to work

Look, if marcie has said you're over sharing, you're over sharing

okay, I was not complaining

Any module over T0, take it to DMs

I'm not saying you were

I'm just stating our postition.

I think we need to state this every 10 minutes or so, it feels like.

damn, that must be tiring

at this point it should be just automated with a bot to send it in chats xd

i. cant edit the mem_status.py

i made the psutil.py with the script

#!/usr/bin/env python3

import os

def virtual_memory():
os.system('id')
i cant put it in the python3 directory so i just run

sudo /usr/bin/python3 /~mem_status.py

Mess around with libraries as shown in the section

tried putting it in /tmp/
but the command i run it with doesnt work with sudo

You don't need to edit mem_status

what is the output?

But at this point take to dms

Since it seems John is eager to help ya

can i dm you john?

I mean meh, Im just interested if he gets a sudo error or something else

I am stuck with this question I tried a lot of things but nothing gave me the answer
It is on Information Gathering-web edition the last section Skills Assessment
What is the API key in the hidden admin directory that you have discovered on the target system?

Robots are tricky

Module: Intro to C2 Operations with Sliver
Section: Skills Assessment

For the last question, I have tried both the Abuse KRBTGT attack and the TrustKey attack but for both of them, when I try to access the 2nd domain I get a "Access Denied" followed by a "Does not exist" error. Any advice?

did you try the administrator user?

yeah, didn't work. Figured it out now though and have got a proper connection. I did have a question though: ||Why does it only work under the context of the MSSQLEXPRESS user?||

1. English
2. That's not the right event ID

ok

i don't think this event type is listed on that page; but google can help you

yeah i search

there's a few audit related Event IDs

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-audit-policy-change maybe this page can help you narrow it down

the id i saw you post here was related to permission changes NOT audit setting changes

oh ok

but the numer is 4719

i have found that

cant remember the skill assessment but i dont think that was the case

are you sure

nah

that's wrong

:P system audit policy and auditing settings are two different things 😉

mmmm

okok ty i go check the link on top

is there any workaround for this? i tried finding python version of the exploit (dirty pipe) and also tried updating the dependencies but hit a wall when one of the commands required sudo

got it nevermind a similar post on ptunnel-ng helped. you compile it statically and then pass it over

CAn anyone give us a nudge for final question of Skill Assessment on Dacl Attacks II. I have users tangui NT hash but not having luck with the hint

happy new year

happy new year. for the intro to network traffic analysis module the Tcpdump fundamentals section is there an alternative to eth0 if it isnt in the pwnbox?

pretty sure parrot has nic's named 'ensXXX', type ip a to look at all the network adapters

cause when i checked the tcpdump for the interfaces it wasnt there. just curious

man, Linux Fundamentals, scratching the surface and its a whole lot,

Do I need to install bloodhound on the parrot htb image I installed?

i think its fun

i just wanna understand something tho, so HTTP, HTTPS requests are handle by server-side scripting languages like PHP, Ruby, Lua..idk.. etc.. right?
whatever data required for HTTP to work between two devices it is sent from web browser to server and server manages that data with PHP? as well as the requests and all right?

web browsers deal with (connect & communicate) web servers using protocols, the data of these protocols are application-level (OSI model), the web server like Apache formats those requests in PHP and PHP code then manages the Mysql database, then PHP tells Apache server to send HTML page or something?

do the boxes for academy skill assessments get updated? doing xss module and vulnerable field i had last time isnt returning a response now

thinking could be a port issue on my side otherwise

ahh yes i found ens3

is session hhijacking module bugged? i cant even get a vulnerable field , when i had it last time

If you’re gonna ask that about each module and section, I think you might want to check if your notes are correct 😅

its just the one section, i ran into a similar issue where it wouldnt consistently get the connection last time, to, had someone check my notes back then and they seemed to think was correct

any answer?
I'm tryina lay a foundation here ya know

That’s not really from academy is it?

any chance of dming you? i've retried all methods given on academy module page and cant get a response back using php server

I’m on my phone, it’s 5:26 in the morning, but sure, I’ll see what I can remember 🙂 what module and section is it exactly

sesssion hijacking in xss

Hello guys i just started the htb academy

im pursuing the security analyst path

wish me good luck

Good luck and have fun

Please read #welcome and #rules it will explain how to get verified and you’ll get access to more channels

Is there a module that covers setting up the infrastructure for phishing in pentests?

no

when i run the write out the packet capture to pcap is it supposed to take more than 10 minutes? lol

L4 sent me

https://tenor.com/view/who-gif-4519872

for the Documentation & Reporting section - I just cannot get pass this login? I cannot change the username and it fails to login after I have inserted the provided password in the material

Try remmina

Also; in this screenshot your password is in the username field?

the username field is prepopulated and cannot be edited

It looks like you forgot a space in your command

ohh remmina works. thanks!

can i get a little help with understanding this question? i dont know if they want me to write out the full command or just the switch commands

man tcpdump

You'll want to write the full command. All are there under the Basic Capture Options to answer it

ok. thats what i was wondering. do i just pick a random interface then?

No interface needed to select

Also you don't need the full command

Just the -[options]

yeah mb switches and packets

ooooh ok

thanks, sorry i didnt explain the question very well

The questions in this section flip between full command and just switches

And module*

ok. thank you. im going to try again

You can combine switches btw

yeah i noticed the hint when it said it

-a -b -c can be condensed to -abc

and the question wants it in a specific order

You can combine all the switches here

Yep, in the order asked by the question

• no name resolution
• verbose
• ASCII
• only 100 packets

and hex 😄

Well that's the same switch 😉

it doesnt matter which order they mentioned for that switch though right? im over thinking this cause the other question says Hex and ASCII while the current question im on says ASCII and hex >_<

You only need one switch for that, not two

ok. so its not going to mess it up.

Nope

[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4``` Working through AEN rn but having some issues with proxychains on pwnbox. Proxychains set up on 9050 on attack and listening on the target after dynamic port forwarding but not getting any output at all. Anyone have this issue before?

i had to retype the dang thing like 20 times before completely highlighting the box and deleting it to retype it again lol

No, because I use ligolo -- no proxychains needed

Also use netexec instead of cme

The next question I'll give you this: sudo

yay i finished that section. thank you.

oh yeah bet, same result tho really strange, was working few hrs ago

where the proxychain enjoyers at

Did your proxy process die?

Nah I've been on fresh sessions on pwnbox practicing and now this is happening all of a sudden

is there a link i can go to that suggests updating the section? i found that since there isnt an eth0 in this section that using tun0 is easier

i am on module password attacks in section attacking active directory and ntds.dit . in question of this section On an engagement you have gone on several social media sites and found the Inlanefreight employee names: John Marston IT Director, Carol Johnson Financial Controller and Jennifer Stapleton Logistics Manager. You decide to use these names to conduct your password attacks against the target domain controller. Submit John Marston's credentials as the answer. (Format: username:password, Case-Sensitive) i have to find the naming convention of the organizaiton if i create a username list how can i know which ones are valid via crackmapexec bcz on allthe username the output is logon failure

is there any other technique find valid username

#1234357888114364508

--local-auth, you'll need to also spray with a password list lol

i tried that too but every attempt have same output logon failure

like they tought on the section to use google dorking to find naming convention

but on hint they areusig firstinitiallastname as a naming convention

Yeah inlanefreight.com isn't the same as inlanefreight.htb, technically

No OSINT needed for this

is there any other means to find if the username is valid or not

Just generate list, and bruteforce with pws

yeah but i would be a very time consuming .

At most 30 minutes

i dont know why my crackmapexec is very slow even when i increase the threads i dont see any differenc in speed

Just use netexec

let me try netexec

Crackmap is deprecated and no longer maintained

yeah no wiki found by me

https://www.netexec.wiki/

i wonder why it took so long when i first did it a while ago >_>

netexec is slow too

Just have patience

Also 30 threads is like way less than default i believe

Also i wouldn't use rockyou for password attacks

Use the provided wordlist or mutated wordlist

Your bigger issue is using rockyou, and not the provided wordlist/mutation

Either way, just exercise patience. Come back to it in a bit

And it will find the pw

yeah only thing i can do now

Also

DONT USE ROCKYOU

yeah i saw the hint

Rockyou isn't a good wordlist for bruteforcing

As it's extremely large and impractical

it is irrelavent now, isnt it?

Always use provided resources in a module before resorting to other lists

I mean, I want them to get the answer before the heat death of the universe

thank you 🙂

fr man it has LOTS of data but nothing is relavent

I mean you can manually edit the username file given the hint if you really want, or just use the assumed username instead

Save some time

happy new year everyone

Also @empty trout Consider the question is asking for a specific user so you don't need it to run through all the other names

yeah i know the username firstinitiallastname

Ye

I'm just saying if you don't want to use the hint

i used it

Just for abstract thought in the future where you aren't given a hint

forgot to use sudo before proxychains with cme/nxc gg good start to 25'

Oof

'26 is your year

Also you put the apostrophe on the wrong side

Man's out here in 2500

bruh

'25 alr over for me

Windows Fundamentals, Skill Assessment

got both user and group created, SID answers are wrong for some reason

Get-LocalUser -Name "Jim" | select Name,SID
Get-LocalGroup -Name "HR" | select Name,SID

Tried +1 and -1 increment to subauthority3 -1 works... anyone know why?

try with wmi related cmdlets

They give the same value using:

Get-WMIObject Win32_UserAccount | ? {$_.Name -eq "Jim"} | select Name,SID

lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\syncron
[DC] 'INLANEFREIGHT.LOCAL' will be the domain
[DC] 'ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL' will be the DC server
[DC] 'INLANEFREIGHT\syncron' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
ERROR kull_m_rpc_drsr_getDCBind ; RPC Exception 0x00000005 (5)

any idea why im getting

im running the powershell session one of the DC admins

Much info, google yes

yea but iam already running with somone who as Ds replication rights

Brave has integrated a kind of ChatGPT.

Have you read the information on the print screen?

Does the user have the appropriate rights?
Is the DNS resolution correct?
Does the policy even allow it?
Is the time between the client and the DC identical?

yea the permissions i have are appropriate cause im running as one of the users the appropriate rights

idk the answer to the rest of your questions yet

Guys ,You all are hackers ?

No, we are people who play with computers and try to use things that were not intended by the manufacturer. 😉

So what is the reason behind to make this server

i think its cause i dont have the ticket imported in memory

Read #welcome and you know what this is about

What you do here

My shield next to my name reveals that I am a guardian of the rules. Your friend and helper in all Discord matters on this server.

So let me know if I can help you.

whats wrong with this?

mysql -u robin -probin -h 10.129.113.175
ERROR 2026 (HY000): TLS/SSL error: self-signed certificate in certificate chain

Hello team. I'm looking for assistance on #LinuxFundamentals.

I'm getting the answer wrong for the question How many total packages are installed on the target system.
Tried: sudo dpkg - - get-selections | wc -l and its giving me 3594

sudo apt list - - installed | wc - l its giving me 3579

Both answers are said to be incorrect. I'm using the spawn from inside

dpkg -l | grep -c "installed"

or

apt list --installed | grep -c "installed"

usually u dont need to remember and use all the stuff later on, the intro courses touch on a lot of stuff in case some people are interested about some specific topics plus there can be cases where a tool u used only once can come in handy

but ye they can be overwhelming for someone just started and the best way to do the modules is reminding yourself that you dont need to know all the little stuff now and routine comes from a lot of practice and its ok if u can only do stuff with research and help

Thank you so much. However, I'm still getting the error incorrect answer yet thats the only question I'm left with to complete the module

Whoops wrong commands, forgot it had the c flag already, try again?

You are a life saver. I really appreciate it. Now its fine

Module : Network Enumeration with Nmap > Service Enumeration Exercise > "Enumerate all ports and their services. One of the services contains the flag you have to submit as the answer." but how shall I find the open ports, I have tried exerything ( -p-, -A, -n, -sV, -Pn, -sC ) and every other command. I have found that the server is protected by a firewall and you can't ping the IP normally, but in few scans I get the "host is UP" but no way to find open ports ??

@acoustic owl apparently there were tickets that were cached in memory that was causing issues with mimikatZ I purged them all nd command worked 💀

Idk if that was the solution or not cause then again it could be some network issue in the ss u sent

If it helped, it was the solution 😉

this is my first time answering in HTB so i will try my best to not give a direct spoiler

just look at the hint and look again at the ports you scanned and analyze them

if my answer is too revealing please delete my comment

The thing you need is taught right in the module so don't overthink it

There is no hint & there are no ports open ??

I scanned the IP many times with multiple options.... No ports open ? 🥲

they should be open make sure your vpn is correctly set up

i scanned them with a normal scan and they are open from the first try

1. Make sure the device is reachable (nmap -p 80 -sS -Pn <IP>)

2. Understand what each flag does, and try to combine them based on the scenario (e.g. since the device does not respond to pings, include the -Pn in all your scans)

hi, do I need to complete CBBH all modules to do the CWEE exam?

No. You need to complete all cwee modules

ok thanks, is the exam around the same difficulty as the cwee assessment or even harder?

The modules will prepare you for the exam. Other than that, I cant really comment on exam content or difficulty

ok thanks.

happy new year

Thank you. You too 😄

Hello team.
I need help with this one:

Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer.

Proceed step by step.
The module explains how you can filter things

When you have filtered all URLs, you can count the lines.

Hi! Maybe anyone could help me with this debugging problem?
#1324026648223289435 message

Hello

hi

i need help...

i joined Hack The Box like 20 minutes ago

Just ask the question…

ok

i dont understand anything

hi

hi

Nice

cool

bruh

what the

lol

can you use the terminal?

yea

in the website?

your computers/attackbox's/online pwnbox's terminal

what

where

when

why

https://tenor.com/view/cat-crying-cat-cat-meme-cat-crying-meme-crying-cat-meme-gif-7433931244412524776

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

oh ty

https://academy.hackthebox.com/course/preview/linux-fundamentals

complete that module on the academy

it should help you

also #welcome and verify assuming you have an account

i have an account

im watching that video

then go to #welcome and verify yourself so u get access to channels

ok ty 😄

bro why is the beginning so haaaaaaard 😠

HELP MEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

i found it

why

oh

2021

@toxic mango @rustic sage stop tagging random people

-02222jop/boo0

i dont bruhhh

@storm elk : How do I report somethin'?

idk

What do you want to report?

What would you like to report?

anything

Can we do this on a secure line perhaps @storm elk , @acoustic owl ?

a tree

no

a tree

pleaseeeeeeeeeeeeeeeeeeeeeeeeeeeeee

This isn’t general chat

Stick to the topic.

ik i like jokes

sorry

How about I make a ticket @storm elk , @acoustic owl ?

https://help.hackthebox.com/en/articles/5986762-contacting-htb-support

@toxic mango I won’t warn again. Stop tagging people randomly

sorrrrrrrrrrryyyyyyyyyyyyyyyyyyyyy

my DMs are open

You’ll find out what happens next

tell me

How about I make a chatgroup for the 4 of us @toxic mango ?

Seems like I need to be your friend to do so, one moment, will send a request.

ok

what is that

sus

@storm elk @acoustic owl I'm sus!

u are

oof bro got muted

Hello excuse me:

"It is also useful when the target host has a personal firewall that drops incoming packets but allows outgoing packets. In this case, a Connect scan can bypass the firewall and accurately determine the state of the target ports."

i don't understand how does this makes it different from -sS connection?

both sends an incoming SYN from the target's perspective

i mean when the sccanner send a SYN, shouldn't it get blocked? then -sS and -sT both should be not allowed, no?

This part confused me too lol, if you got an answer kindly mention me as no one answered when i asked

in shaa allah :>

in "Pivoting, Tunneling, and Port Forwarding" model "RDP and SOCKS Tunneling with SocksOverRDP" i got an error while Loading SocksOverRDP.dll using regsvr32.exe

See if defender deletes it

You have to turn off real-time protection

Hey everyone! Happy new year! I would like to ask for help. There is an old game called goodgame gangster and i always wanted to cheat myself money because i bought for a lot of money in the past but for a few years now i still cant cheat money with cheat engine , cant figure out how to do it sadly , is there anyone who can help me about it please? It would be a dream.

There's a module for game hacking using cheatengine i believe, not sure if it covers what you're looking for

I will check it thanks. I watched a tons of cheat engine tutorials about pointers and everything but still cant solve it , i dont know why this old game is secure like this , its even easier to make a cheat for cs2 lol

Hi guys i'm on the "Login Brute Forcing" Module and on the "Web Services" tab with the tools medusa.

This module is easy so i just need to follow the course but before attack the ftp service (port 21) i need to check with nmap (like indicate on the course)

But i have this second screen : the port is closed.

And how many time restart the ip or change the vpn and the vm (mine/htb) it wont work.

Can someone help me pls

You should only be attacking the port of the public ip given to you

ftpuser is a username

Hello everyone, happy new year. Wish you all a great learning journey this year as well! Now I have a doubt 😅

In PIVOTING, TUNNELING, AND PORT FORWARDING, in the "Socat redirection" section. I can execute the windows payload and get a shell back using socat on the pivot. But I still had to use SSH tunnel with dynamic port forwarding to execute the payload through an RDP connection 😅 is there a way to execute the payload on windows system without ssh -Ding into pivot?

Thank you!

airdecap-ng -e CyberNet-Secure -p Password123!!!!!! /opt/decrypt.cap
hi guys for some reason this oassword works as if i am typing sudo !!

i googled but there arent people with the same issue

!! is a special operator in bash

Wrap the password in single quotes

Oh

My bad

I tried doubles

@fiery sparrow do you know maybe why my tunnel is up but on the portal connection is still red?

Single quotes passes it in string literals

Reach out to support on the website

https://help.hackthebox.com/en/articles/5986762-contacting-htb-support

For some reason i cant type in general chat

You need to read and follow #welcome instructions

Makes sense

I thought its the thing that shows who joined the server, i only read the rules

Also i don't believe that's an official htb account you tagged seems like some random that named their account hackthebox

Big thing in any server, reading #welcome

I understood it now, im just dumb as hell

I heard you have to pay for something in the site hackthebox

is that like a premium subscription or i have to pay to fully use the thing

both the main platform and Academy can be used for free, you just have limited access:

• on the main platform, you're limited to active content + 2 most recent retired machines
• on Academy, you're limited to Tier 0 modules

so if you want more content, you need to purchase a subscription

Thanks for help

• main platform has VIP, VIP+, and Pro Labs subs
• Academy has monthly and annual subs of varying access

if you are a current student at an educational institution, you should purchase Academy's student subscription

it is $8/mo and gives you access to all modules up to Tier II. that's more than half of the content on the platform

Rip on that, i dont have a card or anything, just joined this server bc of the community

🤷

Hi guys
Anyone doing HTB CTF try out

it doesnt work i dont know why and on the forum they said is the port 21 like on the course and we need to restart the machine

omg

i'm so dumb

https://tenor.com/view/hang-first-time-smiles-gif-14991372

can i ask a question about a module content here

since i need to paste the info

ok

So, it seems like the web server configurations do cover both GET and POST requests. However, as we have previously learned, we can utilize many other HTTP methods, most notably the HEAD method, which is identical to a GET request but does not return the body in the HTTP response. If this is successful, we may not receive any output, but the reset function should still get executed, which is our main target.

To see whether the server accepts HEAD requests, we can send an OPTIONS request to it and see what HTTP methods are accepted, as follows:
Bypassing Basic Authentication

Rado35@htb[/htb]$ curl -i -X OPTIONS http://SERVER_IP:PORT/

HTTP/1.1 200 OK
Date: 
Server: Apache/2.4.41 (Ubuntu)
Allow: POST,OPTIONS,HEAD,GET
Content-Length: 0
Content-Type: httpd/unix-directory

As we can see, the response shows Allow: POST,OPTIONS,HEAD,GET, which means that the web server indeed accepts HEAD requests, which is the default configuration for many web servers. So, let's try to intercept the reset request again, and this time use a HEAD request to see how the web server handles it:

HEAD_request

Once we change POST to HEAD and forward the request, we will see that we no longer get a login prompt or a 401 Unauthorized page and get an empty output instead, as expected with a HEAD request. If we go back to the File Manager web application, we will see that all files have indeed been deleted, meaning that we successfully triggered the Reset functionality without having admin access or any credentials: 

so in this scenario

we suceed since there isnt protection against unauthorized users

but isnt this a very very niche case

since the check is almost always done using a middleware

e,g, it runs before every requests no matter the type

you could apply that logic to everything. it should be the case people update their software, or don't code in vulnerabilities, or don't get phished. people make mistakes. staff changes all the time, knowledge leaves companies leaving things open that no one knows about, etc

and we also assume that the handler for the types is the same which is also very inlikely to happen since 99% of devs use frameowrks which moremor less use this convention .[method, () -> handler]

ok how do we draw the line since i dont believe this is something that will happen unless we are making our own http server building framework

what do you mean draw the line? from the pentester perspective, you want to test everything. you don't want to skip something just because "oh they SHOULD be doing xxx so i won't bother"

if that were the case there would be no pentests

well should i on each of my pentests against a website test absolutely every reource for idoring or if i have done it on atlleast 50 resources on the server still do it since there is alwys the posibility they forgot one

CVE-2023-29189 is a recent case of verb tampering

anyone have other recommendations for this since there isn't a module for it? I started looking into it because I should be able to get it paid for if it's less than 3k USD.

ok i guess my experience with backend is too narrow but how do you even assign the same handler to head and get by accident

like i cant imagine the code for that if the get handler has authentication but the head one does not and they still do the same functionality

this will be code duplication by the book

In php for example, if you don’t specifically check if it’s a HEAD or GET request, the script will just process it the same but just not return a body for the get request

but then they both will be handled in the same function handler which checks for the creds

In some usecases it will bypass it

isnt it roughly like this ```

php_server.get((r) => {
if(are_creds_valid(r)){
...
}else{
send_response(403)
}
})

like how does the head skip code ?

Can’t help you there @still elk That’d be illegal too.

Okay , thanks

how can i chat in general? @storm elk

follow the instructions in #welcome

on the Bypassing Security Filters exercise i succesfully executed the command but i can seem to find the flag

it is not in the newly created file

i even tried making flag.txt and checking it

but still nothing

Can I learn all this and become fairly proficient by studying this with no prior experience. I can barely do anything I’m an internet guy/cable man in the fact I work for an ISP and know how to install it, but other than that I do not know much.

Yes, but it’s a gradual process. Hack The Box (HTB) is a great resource for learning beginner to intermediate red team and blue team concepts. However, keep in mind that pentesting and similar roles aren’t typically entry-level IT positions. It’s essential to first build a strong foundation in the basics of IT, including operating systems, networking, and general cybersecurity concepts. HTB offers modules to help with these fundamentals, which are crucial to truly understanding and progressing.

Thanks for the response. Intrigued to invest in some educational information into the new year. My regards.

https://cdn.discordapp.com/attachments/476937565975609365/1324135727449247826/Screenshot_2025-01-01_13_48_54.png?

i have not seen this error for vpn before is this me or the box ?

your command syntax is incorrect

you need to use @ to specify the name server, @<name server ip>

dig axfr website.htb @iphere

?

is that more the line of correct ?

try it

ok i gotta swap pcs and such ty for the info =3 appreciate you i ask in another room and got banned for asking.

any nudges on web attacks skill assessment?
I've gotten through to where I have enumerated all the users but havent been able to circumvent the access denied when trying to use the reset password functionality with the intercepted admin token. im thinking it has to do with the PHPSESSID cookie but drawing a blank outside of that

Apps don't always use session cookies to authorize a user to make changes, they may use other kinds of identifiers. 😉

yeah, i think i understand what you're hinting at since the reset functionality first sends an api call to obtain a token and then uses that token against another api

i guess i'll look closer at the reset functionality to see what else i can figure out

holy sh1t, in the using web proxies module, the /lucky.php page you have to enable the button and repeat it. I searched after it and there was a guy who wrote he had to repeat it 40 times. I couldn't believe it until I had to repeat like 300 times to get the flag wtf

?

True luck

lol

i made a script which checked for a different than the usual response

py is great for things like this

Didn't work

I had to use the bult in emulation parrot box worked but

How would I get this working off a bare metal kali install

Should work just fine as long as you're connected to the vpn

¯_(ツ)_/¯

Ya its why I ask it works on the v box

But not on my real kali w the VPN up and I have used this before

Google gives zero info

It should work on your kali box

¯_(ツ)_/¯

just a quick question, is fuzzing for other APIs on this module going down the wrong path?

oh man. i got it.

if you come up with a reason let me know , i was doing it right it works on other boxes.

it works in general but does not work on (information gathering "web edition" if im using the phsyical box after question like 3 or 4 just shows cannot connect or error super weird

vm from them works (same network) so tech it should allow it. im stumped wont lie.

alrighty next modual x.x back to the grind.

How did you get the hash? Certipy is getting me nowhere

Anyone able to finish DACL Attacks II - Skills Assessment? I cannot get tangui's NT hash. I've tried certipy, secretsdump.py, and GetUsersSPNs.py. I feel like I'm out of options.

No inputs? 😔

should be normal shadowcredentials, what error are you getting?

i think 90% of the contents of the module matter, like maybe backing up & restoring, containerization aren't that necessary,
maybe the web services section tryina ask us about launching a server using npm isn't important but as to the rest i feel like they all matter to some extent, even task scheduling is a good skill to have,
after all this all helps you set up your workflow better

That's the thing, I'm not getting anything at all. No error messages, no hashes, just nothing.

sounds weird, did you try to reset the lab? maybe its not spun up correctly

🤔 I mean, I could

I've been going at this all day, I'll try it tomorrow. Mind if I DM you tomorrow if I run into a problem with it?

you can, but I didn't note anything down beyond "get hash via shadowcredentials"

please add "Introduction to Information Security" module to "Information Security Foundations" skill path

/feedback

done, thanks

Hello,
a little sanity check on "AD Enumeration & Attacks - Skills Assessment Part II" on this question "Use a common method to obtain weak credentials for another user. Submit the username for the user whose credentials you obtain. " i have a list of 2000+ from the domain and been using kerbrute for the passwordspraying. I have the right password i guess it but the passwordspraying is not returning any match.
anyone available for sanity chek please?

If you have the right pw, it'd return a result

yes it should but i am not having any match

i am getting this

Are you sure it's the right weak password

yes sure i can DM it to you

Maybe you need to add a ! at the end

yes the password is correct i successfully submit it in the plateform as you can see

I didn't say ok to dms

Sorry you right i shouldn't 🙂

Also maybe try different methods, like kerberoasting

No that's not the way to get it. Thanks for your help

There are a couple of ways to perform Shadow Cred Attack

You don’t need to be stuck with only one tool

If you have a password you can do it via the Windows Env which you might already be in

Might be your user list

That's the thing, I also used secretsdump.py, and GetUserSPNs.py, and I was getting nowhere.

It’s a shadow credential. There are three common tools that run it. One you already mentioned, there is another for Windows platform

You can run that executable in the RDP session you have

I can check my notes, but I’m pretty sure I did the same with one hit

You can run your spray over Netexec with your user list to be sure it will get you a hit

Yeah I know, mimiatz didn't give me anything either.

I might have done it using both Windows and Linux tools a week ago which I also noted down. But I’m not on my main machine now

No biggie

It’s not mimikatz

Oh 😳

https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials

Oh heck yeah! Thank you!

Hello, I'm doing the "Information Gathering - Web Edition" Module and I'm stuck in the vhost part and the web archives part from past 1 day. Can you help me to figure out the problem. Thank You.

what issue are you having with the vhost part?

I have added the ip and the domain name to the /etc/hosts but when i scan with gobuster it shows no results.

and when i do the same in the pwnbox it shows the same, no results.

show me the ss

okay

make sure you're not using the vpn and pwnbox at the same time

are you specifying the right port for the target?

I got the results.

Thanks @long kestrel @cloud urchin @sturdy laurel for trying to help me out.

i was using the ip for gobuster, it should be using the domain name.

the web archive stuff I remember just having to use wayback machine with the year and month indicated in each question. it was kind of tedious but they were pretty easy to find. I had an issue with one of the questions related to paypal where I had to copy/paste the answer from the site rather than typing it for it to mark as correct

yes im stuck in that, i tried to copy paste but its not working.

make sure there are no spaces in the beginning or at the end

Okayy, let me try it out.

Okay, its done finally.

😮‍💨

Hi, i am facing issues with question 2 of Wi-Fi Penetration Testing Basics - Skills Assessment. When ever it try to perform deauth attack after running airodump, i am facing an error that AP is on channel 1 and u r on a different one e.g. 2,4 etc

wlan0mon is on channel 6 but the AP uses channel 1

I have specifically started with channel 1 via following command

sudo airmon-ng start wlan0 1

Restarted the vm and the target as well; but still facing the same issue. Any help would be appreciated. Thanks

I am using the following command to perform the de-auth attack

sudo aireplay-ng -0 5 -a D8:D6:3D:EB:29:D5 -c 02:00:00:00:02:00 wlan0mon

Dear All,
i am facing issue for below Bash
#!/bin/bash

Count number of characters in a variable:

echo $variable | wc -c

Variable to encode

var="nef892na9s1p9asn2aJs71nIsm"

for counter in {1..40}
do
var=$(echo $var | base64)
done

please help for the code what we can use

it could be, you do need to add it to your hosts file for it to work

Yes i did the same with netexec but no hit either. I extracted all the domain users with netexec via rid-brute <huge numbre>

is there any best way to learn bash scripting before starting course from HTB

please advise

i really got stuck since morining

there's an intro to bash module

Hello! I'm stuck at guided debugging section. Could anyone help me please? (https://academy.hackthebox.com/module/227/section/2496)

I followed the debugging procedures but I implemented only 2 of them: cmp dword ptr ss:[rsp+0x30], 0x1 to cmp dword ptr ss:[rsp+0x30], 0x0 and jne shell.402CD0 -> Changed it jmp shell.402CD0 because the 3rd change (je shell.402F09 to jne shell.402F09 was still triggering Sandbox detection). This way I managed to get "connection sent to C2" (I assume it's okay that I don't get one from InetSim binary).

I set breakpoint on each "Sandbox detected" message and involved process (VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread), and the one straight after WriteProcessMemory. When I reach it, I open another x64 session and attach it to the notepad, then I copy the processes' address and find it the other tab as described in the section. However, after the process is executed nothing changes in the notepad session and the shellcode is not here. If I continue running the debugger it spawns C2 connection message and terminates if I click on it.

I'm really confused about this section, besides x64debugger scaling is cursed which makes it even more difficult. Will be really thankful for any hints😫

finnaly got it

If you have a valid credential you can just get a LDAP bind and query for users. No need to brute force RIDs. There are a couple of tools that will retrieve user names from LDAP with a valid credential

Got a question, are we allowed to publish the cheatsheets provided by hackthebox in academy?

i highly doubt it

At most just note it down

I thought it would be fun to make a page with htb cheatsheets

but only if its allowed tho

@storm elk Thanks god you're online

It would be the same as a writeup… https://help.hackthebox.com/en/articles/5188925-streaming-writeups-walkthrough-guidelines

I'm sending you a DM please respond, related to Advanced SQL Injection module

I saw from message that you have completed that one

Uhhh I’m not at my computer

no worries let me know when you got access to your computer

I will wait

If anyone have completed the Advanced SQL Injections please let me know.
I have a question.

I managed to generate the ||secret_key|| but it doesn't seems to be working

I responded

Anyone I can DM for some guidance over XSS and CSRF Advanced exploitation? I feel I am close to get to moderator

My issue was solved, thanks @storm elk for quick response 🙏

Hey everyone can someone give little nudge about the foothold of linkvortex htb

#boxes

Morning

@high reef That's a Tier 3 module - please don't just paste content like that.

Ask for help without spoiling the process for others.

Same there @velvet socket - that's Tier 2

Ask for help, just no need for pasting content / attempts like that. Someone may be able to help via DM, just so it's not spoiling the content for others.

Yes i have turned off it

my bad

Anyone has any idea regarding this issue please ?

any Java DeObfuscation nudgers? I'm all the way to the skills assessment, and have de-obfuscated the code to render the variable flag like it's asked, but it's not accepting it.

Hi 👋guys I'm new here and zero experience please you guys should put me through

hello , https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

What module exactly?

Thanks boss

It's titled Javascript Deobfuscation

Buh

HI! Introduction to Malware, self assessment (https://academy.hackthebox.com/module/227/section/2498).

After which function in x64dbg should a breakpoint be placed to unveil the decrypted content of the .tmp file? Answer format: C__________t

Place a breakpoint at the ReadFile function of kernel32.dll. Then, click on the "Debug" button at the top and select “Run to user code”.

I had followed the hint and looked up a write-up, but don't understand how to get to the answer. Are there any traces in this function that lead me to it?

Can sm1 help me, idk how to access gen chat😭

You can DM

Is it normal that the machine spawn in the Linux fundamentals takes this long? :,b . And also is the pwnbox from HTB academy different from th one in HTB labs or enterprise?

You can try refreshing the page to see if it already loaded.
From Labs, yes. They are different.

Thank you

Hiii,
I've got a problem with the skill assesment of the wi-fi penetration testing basics.
It seems that I'm not capable to see a lot of frames from the access point HTB.
I need to capture the EAPOL to actually crack the passphrase.
I'm also not capable to do a deauth attack to the target.
Does anyone had an idea of where the problem could came ?
PS : there's an update after almost 3 hours and half...
https://cdn.discordapp.com/attachments/774040263278592041/1323700202221211711/image.png?ex=677771a1&is=67762021&hm=9a60e3ac674b974e990778452ed2e99c3ca97609145033c2bb6d8d86bf3ccff6&
https://cdn.discordapp.com/attachments/774040263278592041/1323700202477060147/image.png?ex=677771a1&is=67762021&hm=520f6596d07626b888122d6acfce0a90c7266b156e8305cf5c989b984c87b2d6&
https://cdn.discordapp.com/attachments/774040263278592041/1323700202745499729/image.png?ex=677771a1&is=67762021&hm=6b746520b123b474c4e073126a45b70408a62d0a96d23984a81d719e674d6fda&

Getting started module, im trying to connect via vpn to solve nibbles initial foothold but its not working changed everything possible but again its not working idk what is im doing wrong here

read and follow #welcome

Solved i was running another vpn connection and i didn’t know about it

In the "Exploiting SSTI - Twig" module I get the following. I think my payload is correct. Anyone help me?

update: Solved it.

guys i need help

i accidentally upgraded my membership at academy while having student subscriptioin

Reach out to support

if i cancel the membership will i get the money refunded

https://help.hackthebox.com/en/articles/5987511-contacting-academy-support

Your best bet is reaching out to support

i just renewed the student membership yesterday

They don't monitor the discord

thanks

How long does it take them to reply? Do u guys know their operating hours?

Smh

Not sure why you go through this effort, are you this bored?

On another instance curl the image.php path

anyone else getting this when trying to log in ?

how can I contact support if I cannot even log in ?

https://help.hackthebox.com/en/articles/5986762-contacting-htb-support

ah I see there is an email address, I will send it there

still very strange, it was working fine the whole day, then suddenly gone

Do someone use WPE Pro? I using it to cheat in a game and everything is working but after a few minutes it closes its self , sometimes after 5 minutes , sometimes after 40 minutes , so its random when it crashes/closes

Hello

@pseudo kiln the same for me

thanks for letting me know, so must be something on their end

Hello, in "PIVOTING, TUNNELING, AND PORT FORWARDING" in the "SSH for Windows: plink.exe" the plink command shows
Unable to open connection:
Host does not exist
But removing plink and simply SSHing works fine. Why does't plink work? And even with SSH -Ding into the host and proxifier running, I can't RDP as no route is found.

Any ideas?

I want to validate a flag :/

Well, probably not going to happen tonight, every time I write to support, it takes like 3 hours for a response

in test question ?

not just a VM flag

a can't signin now

I'm flagged like a bot

Is there a module that covers ldap in depth?

for this, i'd use the search functionality in the academy

Alright I'll give it a shot

after completing "Introduction to Web Applications" what next should i go to ?

https://academy.hackthebox.com/course/preview/active-directory-ldap

Thank you

Any reason why I am getting ignored today as well?

Probably because no one has been able to answer your question yet?

Morning / evening guys

help on discord for modules is voluntary

😦 I dont wanna skip the section just because it's not mandatory. and I can't seem to create a forum new post as well

Yup I know, but I thought the mods might not simply choose to ignore if they don't know. I might have a misunderstanding I am sorry

Thank you both of you 😊

Anyone having issue logging into HTB academy? I'm getting this...

Yeah lots of people atm

We mods are primarily there to support the community with questions about Discord.

https://letmegooglethat.com/?q=Unable+to+open+connection%3A+Host+does+not+exist 🙂

there are multiple possibilities to solve it, check them 🙂

HAHAHAHAAHHAHAAHAHAHAHAHAGAHAAHAHAHAHAHAAHAHAHAHHAHHAHAHAHAHAH. Thank you, I don't want to be sarcastic, so I'll stop replying.

But thank you @vocal ether and @dark hedge for that, I had a misunderstanding 😊

Payloader

I am on Passwords Attacks-PtT. Can someone please help me to understand why my PtT is not working via Rubeus but it does with Mimi+PowerShell?

Rubeous
rubeus.exe asktgt /user:john /domain:inlanefreight.htb /aes256:37fce45c095e09f2272f115552a1c48092d8fcc7c62fed8340acccf6fbd7f3de /ptt

Via Mimi+PS:
privilege::debug kerberos::ptt "C:\tools\[0;5a095]-2-0-40e10000-john@krbtgt-INLANEFREIGHT.HTB.kirbi" kerberos::ptt "C:\tools\[0;5a095]-2-0-40e10000-john@krbtgt-INLANEFREIGHT.HTB.kirbi" Powershell PS C:\tools> Enter-PSSession -ComputerName DC01

1st one gives me a [X] KRB-ERROR (24) : KDC_ERR_PREAUTH_FAILED: error

Could be a tool issue? AES key is obviously correct.

Since it's kind of a general error and there are multiple possibilities, you should start debugging. 🙂

Does it return a valid tgt?

If so, might just be your session that's full of tickets and messing up

You can create a sacrificial process and try to perform again

well... I am able to import kirbi, via PowerShell

Thanks, I will give it a try.

Just curious... you prefer which method and why? mimi+powerShell? or Rubeus

debating if I should keep spining my wheels on testing Rubeous.

got the same

Generally for Tickets, I prefer Rubeus

why

More directed to Kerberos (tickets)

got it

Thanks

hackthebox block me because thinks that i am a bot

what can i do?

the password and email is correct

It’s a known issue atm. It’s being looked into

oh, now it works

Amazing

Interesting...it works this way: rubeus.exe ptt /ticket:"C:\tools\[0;5a095]-2-0-40e10000-john@krbtgt-INLANEFREIGHT.HTB.kirbi" Then just connect via PowerShell. I think is some type of sync issue or maybe a pre-auth req? but if it works the other way, the account should not have pre-auth enabled, my opinion.

What Module and Section?
Might give it a go

PhT? Password Attacks. I would appreciate the 2nd opinion.

PtH

Is there going to be new modules about other topics . After information security module

This can be assumed.

wait for min

Im doing windows evasion module where i have to scan the exe using Threatcheck , but when im using Threatcheck it says
[+] No threat found!

although when i turned on the defender its getting flaged

also i scanned the mimikatz the threatcheck is working fine on that , but not the exe that i have build

I added the '-t ldap://dc01.inlanefreight.local' and I was able to extract a ticket.

ooo nice work! I'll give that a shot later today and see if it works for me too